Tag Archives: phishing

Managed security services providers, or MSSPs, continue to rise in presence and impact—by giving companies a cost-effective alternative to having to dedicate in-house staff to network defense.

In the thick of this emerging market is Rook Security. I spoke with Tom Gorup, Rook’s director of security operations, about this at RSA 2017. A few takeaways:

Outsourced SOCs. MSSPs essentially function as a contracted Security Operations Center, or SOC. Most giant corporations, especially in the financial and tech sectors, have long maintained full-blown SOCs, manned 24/7/365. And so the top MSSP vendors, which include the likes of AT&T, Dell SecureWorks, Symantec, Trustwave and Verizon, are aggressively marketing MSSP services to midsize companies, those with 1,000 to 10,000 employees.

At the other end of the spectrum—catering to very small businesses—you have consulting technicians, operating in effect as local and regional MSSPs. These service providers may have one or two employees. They make their living by assembling and integrating security products developed by others, working with suppliers such as SolarWinds MSP, which packages and white labels cloud-based security solutions for very small businesses.

So what about the companies in between, those with, say, 50 to 999 employees? Security vendors recognize this to be a vastly underserved market, one that probably has pent-up demand for MSSP services.

What MSSPs provide. For midsize and large enterprises, MSSPs deliver an added layer of expertise that can help bigger organizations actually derive actionable intelligence from multiple security systems already in place, such as firewalls, intrusion detection systems, sandboxing and SIEMs. The top MSSPs tap into all existing systems and provide deeper threat intelligence services, such as device management, breach monitoring, data loss prevention, insider threat detection and incident response.

For small businesses, local MSSPs focus on doing the basics to protect endpoints and servers. This relieves the small business operator from duties such as staying current on anti-virus updates, as well as security patches for Microsoft, Apple, Adobe and Linux operating systems and business applications that are continually probed and exploited.

Who needs one? Every business today is starkly exposed to network breaches. So who could use an MSSP? The calculation for midsize and large organizations is straightforward. The goal is to provide more data protection at less cost, based on thoughtful, risk-based assessments. The most successful MSSPs will help company decision-makers build a strong case for their services.

At smaller companies, the first question to ask is this: How mature is my security posture to begin with?

Gorup observes: “Is security even on the radar right now? In smaller organizations, you might have just one person, part-time, working IT. Security is kind of secondary. I’d recommend seeking more advisory services to help detect phishing attacks, help build some processes, help understand what technologies you should invest in. This will allow growth to occur. And then you can make a natural transition into building an SOC or seeking SOC services.”

You receive a call from a purported IRS agent claiming you owe money and must pay it immediately. If you can’t (or don’t) come up with the money pronto, well, you can expect a police officer or U.S. marshal at your door, and you will be arrested and thrown in jail. In a 21st-century version of this scheme, you receive a robocall where an automated voice directs you to call a specific number to settle your debts with Uncle Sam. If you don’t call back right away, you could be anything from sued to arrested to deported, or maybe you’ll just have your driver’s license revoked.

It’s an inelegant ruse, of course. The prize? Your hard-earned cash and, for good measure, some of your personally identifiable information (PII).

I probably don’t have to explain this hot-and-heavy approach because you’ve probably been on the receiving end of one of these phone calls. IRS scams are so prevalent they topped the Better Business Bureau’s top scams of 2015 by a mile — and that was well before the IRS itself issued a warning to taxpayers saying there was a “summer surge” last year in IRS impersonation scams, with a new variant asking poor, unsuspecting taxpayers to fork over payment on iTunes gift cards.

A sigh of relief?

If you think the major bust in India means you can breathe a little easier every time your phone rings, unfortunately, you’re wrong.

Make no mistake, those nine phony call centers represent only a small fraction of all the nefarious enterprises out there. Consider the latest stats from the U.S. Treasury Inspector General for Tax Administration published in The Wall Street Journal: 8,000 victims have paid more than $47 million because of these completely phony “IRS agents.”

Scams are akin to the old whack-a-mole game or, to put an even finer point on it, a Lernaean hydra — cut one of them down, and two more will spring forth. In fact, around the same time police were raiding the bogus call centers, reports had surfaced that there was a new IRS scam in town: Fraudsters have started to send out notices about fake IRS tax bills related to the Affordable Care Act via email and traditional snail mail in an effort to meet their, ahem, sales goals.

What you can do

You should stay vigilant because it’s about to get significantly more difficult to avoid getting got. The IRS announced it’s going to begin using private collection firms to handle overdue federal tax debt, a change that could effectively throw the one-step method of avoiding phony IRS agents — hang up the phone! — out the window.

The IRS has yet to make it completely clear whether it’s going to allow the collection firms it’s hired to call debtors directly. But even with this significant change, there will be a few dead giveaways that there’s a scammer on the other end of the line.

If you do owe Uncle Sam, you’ll have received a bill in the mail, and should you be one of the more unfortunate ones turned over to a legitimate collector, you’ll also get written notice that your debt has been transferred over to one of its collection firms: CBE Group, Conserve, Performant and Pioneer.

You’ll be allowed to make your payments online at IRS.gov/PayYourTaxBill, so, if you’re not being told about this option, hang up and notify the IRS.

Payments by check should be made to the “U.S. Treasury.” If you’re being asked to write one made payable to the collector or even the IRS (which can easily be altered to read “MRS.”), hang up the phone.

There will never be any threat involving police or marshals or prison.

Other ways to protect yourself

Here is the toll-free number for the IRS: 800-829-1040. If you get even the slightest inkling that someone is trying to swindle you, hang up and immediately call the agency.

If you get an email that looks like it is coming from the IRS about a tax bill, do not click on any links (which could be malware designed to infect and infiltrate your computer system and steal any payment or personal information it can get its hands on). Instead, forward the email to phishing@irs.gov and wait patiently for someone to contact you about its validity.

What to do if you’re a victim

If you think you’ve already been had, well, then you’ve got some work to do. Report the crime to your local police, file a complaint with the Federal Trade Commission and call the IRS at the number provided above to find out if you really owe them money. Contact TIGTA to report the call either at 800-366-4484 or by using its IRS Impersonation Scam Reporting website. And then rely heavily on the three Ms I outline in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves:

Minimize your exposure to fraud: If you did turn over your most sensitive personal information, request that a fraud alert be put on your credit file by all three credit bureaus — Equifax, Experian and TransUnion. You need only contact one, and it will electronically notify the other two. You might also consider a credit freeze, which is more comprehensive but cumbersome because you need to notify each credit bureau individually; this lockdown of your credit report prevents thieves from opening new accounts in your name.

Remember, it’s not just the phony taxman you have to worry about whenever you pick up the phone. Fraudsters come in all shapes and sizes, and, no matter how many scam centers authorities put out of business, the ultimate guardian of the consumer is the consumer (i.e., you)! Stay vigilant. While identity theft may be the third certainty in life, with a little luck you can make it that much harder for fraudsters to get you in their maw.

We are facing an epidemic that is only going to get worse – the scourge of cyber and telephone-based scams against individuals and businesses. Scammers are becoming so sophisticated that it is difficult for even the most educated and tech-savvy individuals to avoid being conned. It is actually difficult to find someone who has not fallen for some kind of scheme that resulted in stolen money or a stolen identity.

These highly sophisticated and organized criminals are now able to assemble substantial information about an individual, their relationships with others, the products they own and the businesses they interact with. This allows scammers to create credible, convincing stories and interactions that instill confidence or fear, causing people to give out sensitive personal information, credit card information or other financial details. Some of these schemes are so involved that they span days or weeks and result in individuals wiring significant amounts of money to these villains. Other plots are based on ransomware that extorts money in exchange for the release of locked up digital information.

The result of this barrage of attacks – especially against individuals – is that many people are just shutting down. You’ve probably seen the advice in recent articles that you should hang up immediately when the caller is not recognized, because criminals are now enticing the person to say “yes,” recording their voice, then using that recording as consent to conduct illegal financial transactions. In addition, phishing scams are becoming more and more realistic, so it is not as easy as it once was to spot a fake request. SMS texting-based scams are on the rise, so individuals are becoming cautious about responding to what they receive via those modes. The bottom line: More and more people are unwilling to take an inbound call, answer an unknown email or communicate with someone on social media who asks for information.

Add to this the fact that millennials are notorious for avoiding actual “live” phone conversations, and you have a serious problem for any company trying to do outbound marketing of any sort. Sure, the direct mail will still fill up the mailbox, but virtually anything communicated electronically is now suspect.

Quite a few people I know (including myself), are taking the strategy that the only time they will buy something, renew a subscription, donate to a charitable cause or provide any personal information is when they initiate the interaction.

This has some serious implications for the insurance industry – both negative and positive. The contact center operations with predictive dialers and other advanced technologies are used extensively by many insurers, especially the Tier 1 companies. And these outbound calls are not just for marketing and prospecting, but also for existing policyholders for insurance-to-value assessments, customer satisfaction surveys and other activities. Emails are also prevalent among insurers for prospecting and for communicating with policyholders and members. Insurers, as well as companies in other industries, may face more and more resistance to these approaches over time.

If there is any silver lining in this, it comes from the enormous societal need for advice on preventing and dodging these scams and for indemnification against these types of attacks. Insurers have the opportunity, and perhaps the obligation, to determine the industry role in this area. Cyber liability coverage could be expanded significantly across all lines of business. Loss-control engineering should increasingly include expertise in these areas to help customers. Insurers should promote legislation, encourage technology solutions and find other ways to thwart this increasing threat.

It may sound like hyperbole to say that direct marketing is headed for a crash, but preemptive actions by insurers, other industries and governments need to kick into overdrive if this problem is to be solved … not just for the sake of marketing but for the protection of the customer, as well.

In the early ’60s, Roger Maris and Mickey Mantle hit a remarkable number of home runs — including famous, back-to-back four-baggers that, according to Yogi Berra, were the reason he famously quipped, “It’s déjà vu all over again.” While spring training is still a bit away, we’re in the thick of tax season, where legions of scammers are swinging for the back wall.

According to the IRS, there was a 400% increase in phishing and malware incidents during the 2016 tax season. With the April 15 filing deadline still feeling as far away as the Green Monster from home plate in Fenway Park, Berra’s other dictum — “It ain’t over till it’s over” — has never been more true.

My book, “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves,” goes into great detail about the various tactics cyber criminals use to lure you, but the most important thing you can do to keep yourself scam-free this tax season is educate yourself on the most prevalent risks out there.

As ever, the best advice is to file your taxes as early as possible. Tax-related identity theft is primarily aimed at grabbing your tax refund, and scammers are creative, sophisticated and persistent and move very quickly once your information is in hand. Armed with your Social Security number, date of birth and a few other pieces of your personally identifiable information, all of which are likely available on the Dark Web if you have been involved in a data breach (you can check for warning signs and view two of your credit scores for free on Credit.com), fraudsters are furiously filing fraudulent tax returns online.

1. Phishing

There is no bigger threat than phishing. By now, it is a home truth that there are phishers out there. Catfishing is a regular part of the popular imagination, and phishing emails hit our inboxes with the same regularity as the various promotional emails we get from retailers and media outlets.

Phishing emails take many forms, but they are most commonly pointed at getting enough of your personally identifiable information to commit fraud in your name (identity theft). They also commonly contain a link that places malware on your computer. These programs can do a variety of things (none of them good), ranging from recruiting your machine into a bot-net distributed denial-of-service attack; to placing a keystroke recorder on your computer to access bank, credit union, credit card and brokerage accounts; to gathering all the personally identifiable information on your hard drive.

Here’s what you need to know: The IRS will never send you an email to initiate any business with you. Did you hear that? NEVER. If you receive an email from the IRS, delete it. End of story. Oh, and the IRS will never initiate contact with you by phone, either.

That said, there are other sources of email that may have the look and feel of a legitimate communication that are tied to other kinds of tax scams.

2. Criminal tax preparation scams

You learned how to do homework in school for this reason: Not all tax preparers are the same, and you must vet anyone you’re thinking about using well before handing over a shred of your personally identifying information. Get at least three references, check online to see if there are any reviews and call them.

Here’s why: At this time of the year, tax prep offices that are actually fronts for criminal identity theft tend to pop up around the country in strip malls and other properties and then promptly disappear a few days later. Make sure the one you choose is legit.

3. Shady tax preparation

Phishing emails may not be aimed at stealing your personally identifiable information or planting malware on your computer. They simply may be aimed at getting your attention and business through enticing (and fraudulent) offers of a really big tax refund. While these preparers may get you a big refund, it could well be based on false information.

Be on the lookout for questions about business expenses that you did not accrue, and especially watch out for signals from your preparer that you are giving him or her a figure that is “too low.”

Other soft cons of shady tax preparation include inflated deductions, claiming tax credits to which you are not entitled and declaring charitable donations you did not make. Bottom line here: We’re all connected these days, and chances are you will get caught, so just make sure you are working with someone who follows the instructions. (Yes, they’re complicated, and that’s why it’s not a bad idea to get help.)

As Berra said, “You can observe a lot by watching.” Tax season is stressful even without the threat of tax-related identity theft and other scams. It’s important to be vigilant, because, to quote Berra all over again, “If the world were perfect, it wouldn’t be.”

Full disclosure: CyberScout sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

Social media is embedded in our lives—Facebook alone had 1.79 billion daily users as of September 2016—which means cyber criminals are not far behind.

As companies increasingly rely on this digital channel for marketing, recruiting, customer service and other business functions, social media also has become a highly effective vehicle for cyber attacks. Outside of the corporate network perimeter and an organization’s control, it throws traditional security approaches out the window.

A growing category of digital risk monitoring vendors, identified by Forrester Research Inc. in a recent quarterly Wave report, is catering to this problem. According to the report, digital channels—social, mobile, web and dark web—“are now ground zero for cyber, brand and even physical attacks.”

The ways in which cyber criminals weaponize these channels are limited only by their imagination. Hackers can create fake corporate accounts for harvesting customer credentials, impersonate company executives, damage the brand’s reputation and post legitimate-looking links that contain malware.

According to Cisco’s 2016 annual security report, Facebook, for example, was the top mechanism last year for delivering malware, through social engineering, in order to gain access to organizational networks.

“(Social media) is a business technology platform, and because it’s been adopted at all levels of business … organizations have to figure out how to protect it,” says Evan Blair, co-founder and chief business officer at ZeroFOX, a digital-risk monitoring (DRM) vendor launched in 2013.

“And it’s a gold mine for intelligence on individuals,” he adds.

Social media—the ideal weapon

The sheer volume of traffic on social networks is a magnet not only for businesses but also for the criminal element.

According to the Pew Research Center, 79% of internet users are on Facebook, the most popular social network. About a third of internet users are on Instagram, and a quarter are on Twitter.

Better click-through rates and lower advertising costs, among other things, are compelling companies to throw more money at social media advertising (Hootsuite estimates social media budgets have nearly doubled, from $16 billion in 2014 to $31 billion in 2016).

But it’s not just the growing numbers of users and increased brand presence that creates an attractive playground for bad actors. It’s easy to create accounts and instantly attract followers—which means it’s easier than email for reaching a massive number of people with a phishing attack.

Adding to the problem is that social media can be highly automated because it was built on an open API (application programming interface) that allows developers access to proprietary applications. “It’s a frictionless environment that allows you to communicate immediately,” says Devin Redmond, general manager and vice president of digital risk and compliance solutions for Proofpoint, another DRM vendor.

Blair says: “Social media was built with automation in mind. You can create an account that interacts completely autonomously.”

Even though email remains the medium of choice, according to various security companies, email phishing is on the decline. Social media phishing, on the other hand, is growing.

Why organizations are at risk

Eric Olson, vice president of intelligence operations at LookingGlass, says what makes digital risk a high priority is that it’s a business risk that touches multiple facets of an organization. It’s not just about cybersecurity—it also involves compliance, human resources and legal, among others.

He says it’s important for security practitioners to focus on the how — e.g. phishing — rather than the channel it came from.

“You have to be able to keep eyes in all the dark corners,” Olson says.

A new technique Proofpoint identified in 2016 is angler phishing. Bad actors create a fake social media account on, say, Twitter, using stolen branding. They watch for customer service requests addressed to the legitimate account for a bank or a service like PayPal. They then tweet a reply with a link to a lookalike fake website where the customer is asked to enter login credentials.
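As an added illustration, not part of the original article and not any vendor's product, here is a defender-side screening check for the angler phishing pattern just described: it scans replies in a brand's support conversations and flags those that come from an unofficial account imitating the brand and that push the customer to a link off the brand's own domain. The brand name, official handle and allow-listed domain are assumed values, and the sample replies are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed inventory for the brand being monitored; a real deployment would
# load the official handles and web domains from the brand's own records.
BRAND = "paypal"
OFFICIAL_HANDLES = {"askpaypal"}
ALLOWED_DOMAINS = {"paypal.com"}

# Digits and symbols commonly swapped for look-alike letters in impersonation handles.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(name: str) -> str:
    """Lower-case, fold homoglyphs and drop separators: 'Pay_Pa1-Support' -> 'paypalsupport'."""
    return re.sub(r"[^a-z]", "", name.lower().translate(HOMOGLYPHS))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short so no optimisation is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_brand(handle: str, display_name: str) -> bool:
    """True when the handle or the display name imitates the brand name."""
    for raw in (handle, display_name):
        n = normalize(raw)
        if BRAND in n or edit_distance(n, BRAND) <= 1:
            return True
    return False

def offsite_links(text: str) -> list[str]:
    """URLs in the text whose registered domain is not on the brand's allow-list."""
    bad = []
    for url in re.findall(r"https?://\S+", text):
        host = (urlparse(url).hostname or "").lower()
        # Last two labels only, so login.paypal.com passes but paypal.com.example.net does not.
        if ".".join(host.split(".")[-2:]) not in ALLOWED_DOMAINS:
            bad.append(url)
    return bad

def flag_angler_replies(replies: list[dict]) -> list[tuple[str, str]]:
    """Flag replies from unofficial, brand-imitating accounts that push an off-site link."""
    flagged = []
    for r in replies:
        handle = r["handle"].lower().lstrip("@")
        if handle in OFFICIAL_HANDLES or not looks_like_brand(handle, r["display_name"]):
            continue
        links = offsite_links(r["text"])
        if links:
            flagged.append((r["id"], links[0]))
    return flagged

# Constructed sample thread: a customer asked @askpaypal for help and three accounts replied.
SAMPLE_REPLIES = [
    {"id": "t1", "handle": "@askpaypal", "display_name": "PayPal Support",
     "text": "Sorry to hear that. Sign in at https://www.paypal.com/help and we'll follow up."},
    {"id": "t2", "handle": "@paypa1_help", "display_name": "PayPaI Support",
     "text": "We can fix this now, verify your account at https://paypal.com-secure-login.example.net/auth"},
    {"id": "t3", "handle": "@jane_doe", "display_name": "Jane",
     "text": "Same thing happened to me last week, see https://example.org/story"},
]

if __name__ == "__main__":
    for reply_id, link in flag_angler_replies(SAMPLE_REPLIES):
        print(f"{reply_id}: possible angler phishing reply, off-site link {link}")
```

On the constructed thread only the reply from @paypa1_help is flagged; the official account and the unrelated customer pass. In practice the flagged replies would feed a takedown request to the platform and a warning to the customer who was targeted.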

Despite this growing threat, however, many security practitioners are not aligned with social media, Redmond says.

“The pace of adoption of social by enterprises and the pace of the risks that are evolving around that are growing much faster than people are addressing those risks,” he says.

Whatever approach they take, more security companies are likely to join in because the market is still growing.

But even savvy companies are struggling to secure these channels. The hacking of Microsoft’s Skype for Business Twitter account in 2014 is proof—the Syrian Electronic Army wasted no time tweeting negative messages after taking over the account. They got some 8,000 retweets.

“Social media is the best attack platform for a nation-state actor and sophisticated cyber criminals, not just because it’s the easiest one to leverage for compromise, but it’s also completely anonymous,” Blair says.

Redmond expects mobile to be another rising digital frontier, as more bad actors use fraudulent apps to do things like harvesting credentials.

“If you look at it through the lens of bad actors, they’ve figured out all these are effective vehicles,” he says. They don’t have to break in any more — they just have to pretend they’re someone else.

He adds, “They can do that more rapidly, at a greater scale, with less chance of detection.”

This post was written by Rodika Tollefson and first appeared on ThirdCertainty.